Today, I am super excited to help you reinforce your site’s security against the most common type of security breach, i.e., brute force attacks. The attack is pretty simple: you keep guessing the username and password until you get it right. Usually, such attacks are performed by bots which are capable of trying thousands of combinations every minute.

The internet is flooded with content featuring fixes to prevent brute force attacks. However, what makes this post different from others is that I’ll explain the same using an incredible free service which Cloudflare offers to its users.

I am talking about the free Page Rules which can help you block or screen visitors landing on your wp-admin, wp-login.php, xmlrpc.php, and other parts of your WordPress website.

⚡️ Cloudflare

For those who know little about Cloudflare: it delivers services like CDN, DNS, web security, and optimization. Put simply, it makes a website fast and safe to use. My first interaction with Cloudflare was through their managed DNS service, which manages all of my domains through its user-friendly interface. Once my website is part of Cloudflare’s network, it routes my web traffic through that network.

An interesting feature which I’m going to share is that by linking your domains to Cloudflare’s DNS, you get access to three free page rules. These can be applied anywhere on your websites to block threats and limit bots, thereby protecting your bandwidth and server resources.

And trust me I’m pretty happy with this service. All of my Cloudflare-powered websites have experienced a significant improvement against brute force attacks. Or let me say that now there are hardly any failed login attempts.

📝 Page Rules Overview

Broadly speaking, Page Rules allow you to perform multiple tasks on the page’s URL like security, caching, redirects, enabling and disabling of various services. However, the scope of this article revolves around how these can be implemented to prevent brute force attacks. So, let’s stick to that.

A Page Rule can respond to brute force attempts made against your wp-admin, wp-login.php, and xmlrpc.php files. It fires only when the requested URL matches a pattern written in the following format:

<scheme>://<hostname><:port>/<path>

An example (omitting the optional scheme and port components) would be:

yourdomain.com/wp-admin

Both the scheme and port components are optional. Omitting these two means that the URL matching is done for both http:// and https:// and on all ports. You can also add an asterisk (*) as a wildcard to match a series of similar URLs rather than just one.

✅ Browser Integrity Check

Specifically for brute force attacks, Cloudflare offers a dedicated check feature to counter them. It’s called the Browser Integrity Check (BIC). This feature works much like the Bad Behavior plugin: it inspects the HTTP headers that spammers and bots commonly abuse and denies access to your page when it finds them. You can find this feature under the Firewall app.

What I really like about BIC is that you can selectively enable it in areas which are most prone to brute force attacks by implementing a page rule.

⚙️ Setting Up Cloudflare Page Rules

By now, you know that Cloudflare acts like a firewall between your domain and server. Let’s find out how you can set these page rules with a free Cloudflare account.

You get started with the initial setup. It begins with creating an account at Cloudflare and typing in your domain name. From here, Cloudflare will automatically fetch the DNS records from your current web host and display the new name servers. Next, you’ll switch your domain to the new name servers which Cloudflare has generated for you. Once that is done, you can set up Cloudflare page rules and other security features to protect your site.

✌️ Adding a New Page Rule

Once Cloudflare is integrated with your site, go to the Page Rules icon at the top. With free domains, you can create up to three page rules per website. The limit increases as you move from Pro domains up to enterprise-level plans.

👉 To create a new Page Rule in the Cloudflare Dashboard, follow these steps:

On the top-left corner click the drop-down menu to select your domain.

Click the “Page Rules” app.

Select “Add new rule” and enter the pattern you want to match and choose the rules you want to apply.

🍒 Adding Page Rules to Stop Brute Force Attacks

Earlier, I mentioned that the three areas most vulnerable to brute force attacks are your wp-admin, wp-login.php, and xmlrpc.php files. So, I’ll create a rule for each of these files with a matching URL pattern.

Page Rule Settings for wp-login.php File

This page rule applies only to a bot or person trying to access the wp-login.php file, not the rest of your site.

URL Matches: *yourdomain.com/wp-login.php*

First Setting: Browser Integrity Check – On

Second Setting: Security level – I’m under attack.

Page Rule Settings for wp-admin.php File

This page rule applies only to a bot or person trying to access the wp-admin.php file, not the rest of your site.

URL Matches: *yourdomain.com/wp-admin.php*

First Setting: Browser Integrity Check – On

Second Setting: Security level – I’m under attack.

Page Rule Settings for xmlrpc.php File

This page rule applies only to a bot or person trying to access the xmlrpc.php file, not the rest of your site.

URL Matches: *yourdomain.com/xmlrpc.php*

First Setting: Browser Integrity Check – On

Second Setting: Security level – I’m under attack.

The final result is seen in the screenshot below where I’ve added three free page rules for my demo site a2podcast.com.

📣 Page rules are evaluated in the order they appear, so the first rule whose pattern matches a request is the one applied. If you want to change the position of a page rule, you can reorder it by moving it up or down the list using the icon on the left-hand side.
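To make the pattern format and the first-match ordering concrete, here is an added Python model (not Cloudflare’s own matcher, and not part of the original post) that turns the three patterns above into regular expressions following the rules described in the Page Rules overview: an omitted scheme matches both http and https, an omitted port matches any port, and an asterisk matches any run of characters. The sample request URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The three rules from the post, listed in dashboard order: the first
# rule whose pattern matches a request is the one that applies.
UNDER_ATTACK = {"browser_integrity_check": "On", "security_level": "I'm under attack"}
PAGE_RULES = [
    ("*yourdomain.com/wp-login.php*", UNDER_ATTACK),
    ("*yourdomain.com/wp-admin.php*", UNDER_ATTACK),
    ("*yourdomain.com/xmlrpc.php*", UNDER_ATTACK),
]


def _glob(part: str) -> str:
    """Escape a pattern fragment, then let '*' match any characters."""
    return re.escape(part).replace(r"\*", ".*")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a <scheme>://<hostname><:port>/<path> pattern into a regex."""
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        scheme_re = _glob(scheme)
    else:
        scheme_re, rest = r"https?", pattern      # no scheme: http or https
    host, _, path = rest.partition("/")
    if ":" in host:
        hostname, port = host.split(":", 1)
        port_re = ":" + _glob(port)
    else:
        hostname, port_re = host, r"(?::\d+)?"    # no port: any port
    return re.compile(rf"^{scheme_re}://{_glob(hostname)}{port_re}/{_glob(path)}$")


def first_matching_rule(url: str, rules=PAGE_RULES):
    """Return (pattern, settings) for the first matching rule, else None."""
    u = urlsplit(url)
    normalized = f"{u.scheme}://{u.netloc}{u.path or '/'}"
    if u.query:
        normalized += "?" + u.query               # patterns see the query string too
    for pattern, settings in rules:
        if pattern_to_regex(pattern).match(normalized):
            return pattern, settings
    return None


if __name__ == "__main__":
    for url in [                                  # constructed sample requests
        "https://yourdomain.com/wp-login.php",
        "http://www.yourdomain.com:8080/wp-login.php?action=lostpassword",
        "https://yourdomain.com/xmlrpc.php",
        "https://yourdomain.com/wp-admin/",       # dashboard directory, not wp-admin.php
        "https://yourdomain.com/2019/hello-world/",
    ]:
        print(url, "->", first_matching_rule(url))
```

Running it shows that the wp-admin.php pattern as written does not cover requests to the /wp-admin/ dashboard directory; a pattern such as *yourdomain.com/wp-admin* would match both.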

That’s it for today. I think this is an intelligent move to protect your WordPress sites against brute force attacks. I am using page rules on my websites, and the results are mind-boggling. Now I can sit back and relax and let Cloudflare protect my sites. You should try it out as well and let me know your feedback about it.

Maedah Batool is a WordPress Core Contributor, Technical Dev Manager and a part-time Journalist. She created a tech-training startup called FinkTanks where she has taught 1,000+ girls how to code with WordPress.

Thanks for sharing your Cloudflare tips, Maedah. Excellent post! Your settings for xmlrpc.php seem like a better approach than disabling XML-RPC or redirecting requests to another page. Especially for sites that do need to utilize that function and want to stay secure.